| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Dec 2018 14:40:02 -0800
From: Christoph Paasch <cpaasch@...le.com>
To: netdev@...r.kernel.org
Cc: Eric Dumazet <edumazet@...gle.com>,
Yuchung Cheng <ycheng@...gle.com>,
David Miller <davem@...emloft.net>
Subject: [PATCH net-next 0/5] tcp: Introduce a TFO key-pool for clean
cookie-rotation
Currently, TFO only allows a single TFO-secret. This means that whenever
the secret gets changed for key-rotation purposes, all the previously
issued TFO-cookies become invalid. This means that clients will fallback
to "regular" TCP, incurring a cost of one additional round-trip.
This patchset introduces a TFO key-pool that allows to more gracefully
change the key. The size of the pool is 2 (this could be changed in the
future through a sysctl if needed). When a client connects with an "old"
TFO cookie, the server will now accept the data in the SYN and at the
same time announce a new TFO-cookie to the client.
We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
thanks to these patches. Invalid cookies are now solely observed when
clients behind a NAT are getting a new public IP.
Christoph Paasch (5):
tcp: Create list of TFO-contexts
tcp: TFO: search for correct cookie and accept data
tcp: Print list of TFO-keys from proc
tcp: Allow getsockopt of listener's keypool
tcp: TFO - cleanup code duplication
include/net/tcp.h | 2 +
include/uapi/linux/snmp.h | 1 +
net/ipv4/proc.c | 1 +
net/ipv4/sysctl_net_ipv4.c | 41 +++++++---
net/ipv4/tcp.c | 15 ++--
net/ipv4/tcp_fastopen.c | 192 +++++++++++++++++++++++++++++++++++----------
6 files changed, 193 insertions(+), 59 deletions(-)
--
2.16.2
Powered by blists - more mailing lists